<html>
<head><meta charset="utf-8"><title>crate security · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html">crate security</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="148381659"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148381659" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148381659">(Nov 26 2018 at 17:10)</a>:</h4>
<p>fun case study <a href="https://github.com/dominictarr/event-stream/issues/116" target="_blank" title="https://github.com/dominictarr/event-stream/issues/116">https://github.com/dominictarr/event-stream/issues/116</a></p>



<a name="148388128"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148388128" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148388128">(Nov 26 2018 at 18:45)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> Does that problem exist because Node doesn't have a Cargo.lock-like mechanism, or just because of the culture of not reviewing dependencies when updating the lock file?</p>



<a name="148388500"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148388500" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148388500">(Nov 26 2018 at 18:49)</a>:</h4>
<p><code>npm</code> does have a locking mechanism. Additionally, it's very easy to accidentally do a <code>cargo update</code> in Rust by simply adding dependencies in your <code>Cargo.toml</code> and then using <code>cargo build</code>.</p>



<a name="148388745"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148388745" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148388745">(Nov 26 2018 at 18:53)</a>:</h4>
<p><span class="user-mention" data-user-id="132723">@Zach Reizner</span> <code>cargo build</code> shouldn't do <code>cargo update</code> itself for this reason. There has to be a time after the lock file is updated before the build starts to verify that, you know, you're not pwning your system.</p>



<a name="148388997"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148388997" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148388997">(Nov 26 2018 at 18:56)</a>:</h4>
<p><span class="user-mention" data-user-id="133214">@briansmith</span> Perhaps I'm misunderstanding what's actually going on. If one adds a dependency to <code>Cargo.toml</code> and then runs <code>cargo build</code>, the <code>Cargo.lock</code> is updated before building the crate.</p>



<a name="148389042"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148389042" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148389042">(Nov 26 2018 at 18:56)</a>:</h4>
<p><span class="user-mention" data-user-id="133214">@briansmith</span> I'd go with the latter, that nobody reviews dependencies before updating them, but even if that were to happen in this particular case, the payload was hidden in minified JS so it wouldn't have been easy to see</p>



<a name="148389087"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148389087" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148389087">(Nov 26 2018 at 18:58)</a>:</h4>
<p>It looks shockingly similar to the theoretical hack outlined here: <a href="https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5" target="_blank" title="https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5">https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5</a></p>



<a name="148389340"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148389340" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148389340">(Nov 26 2018 at 19:01)</a>:</h4>
<p><a href="https://github.com/bitpay/copay/issues/9346" target="_blank" title="https://github.com/bitpay/copay/issues/9346">https://github.com/bitpay/copay/issues/9346</a> &lt;--- target appears to be cryptocurrency wallets</p>



<a name="148389381"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148389381" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148389381">(Nov 26 2018 at 19:01)</a>:</h4>
<p>also re: npm and lockfiles, it has one</p>



<a name="148389494"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148389494" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148389494">(Nov 26 2018 at 19:03)</a>:</h4>
<p>the attack only affects people who update, but it sounds like the payload wound up in a version which was up for a while</p>



<a name="148799636"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148799636" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148799636">(Nov 29 2018 at 16:47)</a>:</h4>
<p>"fun thread" <a href="https://users.rust-lang.org/t/how-does-crates-io-differ-from-npm/22658" target="_blank" title="https://users.rust-lang.org/t/how-does-crates-io-differ-from-npm/22658">https://users.rust-lang.org/t/how-does-crates-io-differ-from-npm/22658</a></p>



<a name="148799701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148799701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148799701">(Nov 29 2018 at 16:48)</a>:</h4>
<p>I'm surprised how passionate some people are about <strong>not</strong> sandboxing <code>build.rs</code></p>



<a name="148799725"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148799725" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148799725">(Nov 29 2018 at 16:48)</a>:</h4>
<blockquote>
<p>So even a perfect sandbox is still a total dick move towards end users and will spread malware far and wide</p>
</blockquote>



<a name="148799734"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148799734" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148799734">(Nov 29 2018 at 16:48)</a>:</h4>
<p><span class="emoji emoji-1f615" title="confused">:confused:</span></p>



<a name="148815848"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/148815848" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#148815848">(Nov 29 2018 at 20:22)</a>:</h4>
<p>I think it would be good to see a concrete proposal for sandboxing that includes a clear threat model. Perhaps starting with the Bazel design as a reference. Then we can see how useful it would be.</p>



<a name="152123695"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152123695" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152123695">(Dec 18 2018 at 17:22)</a>:</h4>
<p>TIL: <a href="https://github.com/dpc/crev/tree/master/cargo-crev" target="_blank" title="https://github.com/dpc/crev/tree/master/cargo-crev">https://github.com/dpc/crev/tree/master/cargo-crev</a></p>



<a name="152123709"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152123709" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152123709">(Dec 18 2018 at 17:23)</a>:</h4>
<p>just hopped in their gitter channel</p>



<a name="152132954"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152132954" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152132954">(Dec 18 2018 at 19:46)</a>:</h4>
<p>It's a lot more sane than most proposed solutions to the trust problem. I can see this approach being viable for e.g. a company that wants to audit third-party code they use.</p>



<a name="152133933"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152133933" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152133933">(Dec 18 2018 at 20:02)</a>:</h4>
<p>seems to raise the question of whether you trust the reviewers :)</p>



<a name="152133942"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152133942" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152133942">(Dec 18 2018 at 20:02)</a>:</h4>
<p>still, interesting concept</p>



<a name="152134087"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152134087" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152134087">(Dec 18 2018 at 20:05)</a>:</h4>
<p>the web of trust concept hasn't really worked out for PGP, but that's inconclusive because PGP is held back by its UI, or rather lack thereof</p>



<a name="152134102"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152134102" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152134102">(Dec 18 2018 at 20:05)</a>:</h4>
<p>Still, for a commercial company I can see this being viable</p>



<a name="152136732"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152136732" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152136732">(Dec 18 2018 at 20:43)</a>:</h4>
<p><span class="user-mention" data-user-id="116009">@nikomatsakis</span> haha, I just asked that</p>



<a name="152136736"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152136736" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152136736">(Dec 18 2018 at 20:43)</a>:</h4>
<blockquote>
<p>any thoughts about Sybil attacks on a tool like this? e.g. someone maintaining a bot army which generates false reviews for the purposes of making a crate which contains a malicious payload appear reviewed</p>
</blockquote>



<a name="152136746"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152136746" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152136746">(Dec 18 2018 at 20:43)</a>:</h4>
<p>(in their Gitter, guess I'll see!)</p>



<a name="152145291"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145291" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145291">(Dec 18 2018 at 22:58)</a>:</h4>
<p>Oh, there is no way around people making lots of fake reviews on malicious crates. No amount of identity management would prevent it. I can still Sybil it to hell and back.<br>
What they're building here is not a new concept, it's a basic web of trust. All the research done in the past 30 years on the web of trust concept and in the past 15 years on PGP applies here.<br>
In such a system the number of reviews should not be a factor at all. The only factor is the count of people <em>whom you trust.</em></p>



<a name="152145339"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145339" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145339">(Dec 18 2018 at 22:59)</a>:</h4>
<p>And it would work well only if you have a small number of trusted people who review incoming code, like a commercial company's security department or some such. Then you can use it to determine if it's okay to use or not, in the sense that it's been reviewed by your security department.</p>



<a name="152145638"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145638" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145638">(Dec 18 2018 at 23:04)</a>:</h4>
<p>You know, if I wanted to take over systems running Rust, I'd just make a PR against the stdlib optimizing or refactoring some important function, with a non-obvious bug. That's the cheapest option right now, and is already proven to work well.</p>



<a name="152145673"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145673" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145673">(Dec 18 2018 at 23:04)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> yeah asked and got "It's WoT" back and had this to say:</p>



<a name="152145676"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145676" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145676">(Dec 18 2018 at 23:05)</a>:</h4>
<blockquote>
<p>alrighty. I am generally skeptical of WoT efforts, but I think the problems they have might be solvable with a sufficiently good user experience. so good luck!</p>
</blockquote>



<a name="152145708"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145708" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145708">(Dec 18 2018 at 23:05)</a>:</h4>
<p>But assuming I wanted to inject malicious code into a crate and then claim it's all good... yeah, I still probably wouldn't bother with messing with this trust concept because it's very easy to sneak fatal bugs through code review, humans just ain't good at dealing with unsafe code.<br>
And there is no penalty for trying.</p>



<a name="152145713"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145713" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145713">(Dec 18 2018 at 23:05)</a>:</h4>
<p>regarding the "All the research in the past 30 years done on web of trust concept and in the past 15 years on PGP applies here.", well... I've been to SOUPS, and the research into that does not paint a good picture</p>



<a name="152145770"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145770" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145770">(Dec 18 2018 at 23:06)</a>:</h4>
<p>I'd still like to hope it can be solved with "sufficiently good UX"</p>



<a name="152145792"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145792" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145792">(Dec 18 2018 at 23:07)</a>:</h4>
<p>which is definitely easier in a greenfield system than something like PGP <span class="emoji emoji-1f609" title="wink">:wink:</span></p>



<a name="152145909"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152145909" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152145909">(Dec 18 2018 at 23:10)</a>:</h4>
<p>that said, I'll definitely be trying it out</p>



<a name="152146030"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146030" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146030">(Dec 18 2018 at 23:11)</a>:</h4>
<p><span class="user-mention" data-user-id="127617">@Shnatsel</span> as it were, I just saw an elliptic curve-based ZKP system containing a flaw that seemed obvious to me get professionally reviewed by several well-respected cryptographers and cryptography services groups...</p>



<a name="152146088"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146088" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146088">(Dec 18 2018 at 23:12)</a>:</h4>
<p>...it took something like 4 audits before one of the reviewers (QuarksLab) wrote up the issue I was concerned with</p>



<a name="152146096"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146096" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146096">(Dec 18 2018 at 23:12)</a>:</h4>
<p>(they do good work, we used them at Square)</p>



<a name="152146141"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146141" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146141">(Dec 18 2018 at 23:13)</a>:</h4>
<p>What's SOUPS?</p>



<a name="152146215"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146215" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146215">(Dec 18 2018 at 23:15)</a>:</h4>
<p>SOUPS is a security-oriented UX research conference</p>



<a name="152146218"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146218" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146218">(Dec 18 2018 at 23:15)</a>:</h4>
<p>it's sort of like the UX research side of PETS</p>



<a name="152146228"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146228" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146228">(Dec 18 2018 at 23:16)</a>:</h4>
<p>Woah, I'm glad that exists</p>



<a name="152146305"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146305" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146305">(Dec 18 2018 at 23:17)</a>:</h4>
<p>WoT will never work as a public system because first, it's not that hard to write underhanded code that does malicious things while passing review (see underhanded Rust competition), and second, it's not that hard to establish yourself as a trustworthy guy in the community and make people treat your signature as trusted.</p>



<a name="152146375"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146375" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146375">(Dec 18 2018 at 23:18)</a>:</h4>
<p>WoT kind of works in a company with a sorta-trusted security department, but the point about underhanded code still stands</p>



<a name="152146472"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146472" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146472">(Dec 18 2018 at 23:20)</a>:</h4>
<p>formal proofs of certain properties about the code might help there, but even those hinge on certain assumptions that can be violated, and I guess I could sneak a vulnerability past that as well if I really wanted. But a pull request with an exploit against stdlib is still cheaper.</p>



<a name="152146476"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146476" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146476">(Dec 18 2018 at 23:20)</a>:</h4>
<p>in terms of actual mechanisms built on a WoT model, there aren't a whole lot of success stories</p>



<a name="152146508"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146508" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146508">(Dec 18 2018 at 23:21)</a>:</h4>
<p>PGP in particular is quite confusing with its multitude of similarly named trust levels</p>



<a name="152146689"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146689" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146689">(Dec 18 2018 at 23:24)</a>:</h4>
<p><a href="https://www.phildev.net/pgp/gpgtrust.html" target="_blank" title="https://www.phildev.net/pgp/gpgtrust.html">https://www.phildev.net/pgp/gpgtrust.html</a></p>



<a name="152146702"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146702" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146702">(Dec 18 2018 at 23:24)</a>:</h4>
<p>"marginally", "fully", and "ultimately" heh</p>



<a name="152146722"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146722" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146722">(Dec 18 2018 at 23:25)</a>:</h4>
<blockquote>
<p>...valid keys, meaning one of the following:<br>
- You have signed it personally<br>
- It has been signed by one fully trusted key<br>
- It has been signed by three marginally trusted keys</p>
</blockquote>



<a name="152146831"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152146831" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152146831">(Dec 18 2018 at 23:27)</a>:</h4>
<p>It was always confusing, and signing required the command line and was always a hassle. Oh, and it's not immediately obvious to people that signing in PGP only verifies that this public key belongs to this person, but not that you can trust signatures made by this public key... I could go on and on about all the ways PGP is dysfunctional.</p>



<a name="152201697"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152201697" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152201697">(Dec 19 2018 at 18:16)</a>:</h4>
<p>interesting <a href="https://twitter.com/FiloSottile/status/1075429069888598016" target="_blank" title="https://twitter.com/FiloSottile/status/1075429069888598016">https://twitter.com/FiloSottile/status/1075429069888598016</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/FiloSottile/status/1075429069888598016" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/1028703543174225920/3cm3bMWC_normal.jpg"></a><p>I am very excited for the modules authentication story we are building. With its auditable transparency log I hope it will be the most secure-by-default package management solution of a popular language. <a href="https://t.co/mNoefzZQk1" target="_blank" title="https://t.co/mNoefzZQk1">https://blog.golang.org/#TOC_5%2E</a> <a href="https://t.co/QhMjqiOtLH" target="_blank" title="https://t.co/QhMjqiOtLH">https://twitter.com/golang/status/1075413970037760001</a></p><span>- Filippo Valsorda (@FiloSottile)</span></div></div>



<a name="152201718"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152201718" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152201718">(Dec 19 2018 at 18:17)</a>:</h4>
<p>I guess Filippo is writing a custom Trillian personality for "binary transparency"-like purposes</p>



<a name="152201849"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/152201849" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#152201849">(Dec 19 2018 at 18:19)</a>:</h4>
<p>I guess the <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> index sort of gives you something similar... unfortunately git is awful</p>



<a name="166217670"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166217670" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166217670">(May 21 2019 at 22:09)</a>:</h4>
<p>crate dependency permissions coming up again: <a href="https://internals.rust-lang.org/t/cargo-permissions-to-detect-tampered-dependecies/10236" target="_blank" title="https://internals.rust-lang.org/t/cargo-permissions-to-detect-tampered-dependecies/10236">https://internals.rust-lang.org/t/cargo-permissions-to-detect-tampered-dependecies/10236</a></p>



<a name="166217738"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166217738" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166217738">(May 21 2019 at 22:10)</a>:</h4>
<p>my list of the previous topics along the same lines grows longer and longer</p>



<a name="166253199"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166253199" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166253199">(May 22 2019 at 10:00)</a>:</h4>
<p>So I was thinking about this as well and I had some kind of idea:</p>
<p>I can imagine people should yank crates when a security vulnerability is present, or a bad bug. Old versions of a library would not be yanked (unless they are so deprecated that they cannot work with other crates anymore).</p>
<p>What about creating some kind of platform, let's call it amiyanked for now, that iterates through the tree of dependencies to check for yanked crates. So if a specific crate depends on a yanked dependency it is marked "should be updated/yanked". After all, that crate might also be vulnerable or might depend on a bugged crate. If we do this iteratively we get a list of crates that should be yanked / updated as well. </p>
<p>Since crates also specify the email of each author we could even use their email addresses to send them automatic notifications when one of their dependencies has been yanked. (Not sure if that is against any privacy rules, but it would be nice).</p>
<p>This way we could maybe keep the ecosystem at least aware of threats and potentially more safe as well? I guess if many people use crate A that depends on vulnerable crate B, people are likely to put a bit more pressure or effort into having crate A update its dependency to crate B, whereas now people still have to manually find that out themselves.</p>
<p>What do you think?</p>



<a name="166279663"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166279663" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166279663">(May 22 2019 at 15:33)</a>:</h4>
<p><span class="user-mention" data-user-id="213094">@DevQps</span> I had proposed something similar as a way that Cargo-proper could have a minimum viable RustSec integration</p>



<a name="166281192"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166281192" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166281192">(May 22 2019 at 15:49)</a>:</h4>
<p><a href="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14?u=bascule" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14?u=bascule">https://internals.rust-lang.org/t/pre-rfc-reviving-security-advisories-in-crates-io-rfc-pr-1752/9017/14?u=bascule</a></p>



<a name="166281313"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166281313" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166281313">(May 22 2019 at 15:50)</a>:</h4>
<p>the core idea is giving users some feedback about yanked crates. I suggested doing it during <code>cargo build</code> and that put some people off</p>



<a name="166281344"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166281344" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166281344">(May 22 2019 at 15:50)</a>:</h4>
<p>it seems like something where it could be a periodic nag, like once a day or something</p>



<a name="166454548"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/166454548" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> DevQps <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#166454548">(May 24 2019 at 13:55)</a>:</h4>
<p>I think that would be quite a good idea. Developers need some kind of nudge or hint that they should yank their crates and update them as well I guess.</p>



<a name="168224138"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168224138" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gerardo Di Giacomo <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168224138">(Jun 15 2019 at 21:40)</a>:</h4>
<blockquote>
<p>the core idea is giving users some feedback about yanked crates. I suggested doing it during <code>cargo build</code> and that put some people off</p>
</blockquote>
<p>doesn't npm do it now?</p>



<a name="168349800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168349800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168349800">(Jun 17 2019 at 21:36)</a>:</h4>
<p>do what now? have integrated security audit functionality?</p>



<a name="168349821"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168349821" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168349821">(Jun 17 2019 at 21:36)</a>:</h4>
<p>the important part is doing it for <code>cargo build</code> and not just <code>cargo update</code></p>



<a name="168414333"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168414333" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> defunct <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168414333">(Jun 18 2019 at 15:51)</a>:</h4>
<p>not to suggest any sort of gatekeeping here, but it does seem that some sort of committee for security-related confidence scoring for crates might be beneficial to prevent uninformed users from making bad design decisions, something that also takes into consideration downstream deps, previous vuln history, clearly poorly written crates. it would be nice to prevent senseless dep explosion that increases attack surface in general. obviously would need a relatively high level of automation for the entire process to be sustainable. - (didn't read all of the backlog, apologies if this has been brought up before)</p>



<a name="168416385"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168416385" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168416385">(Jun 18 2019 at 16:12)</a>:</h4>
<p><span class="user-mention" data-user-id="218492">@defunct</span> yeah there's been a lot of talk about ideas along those lines</p>



<a name="168417038"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168417038" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> defunct <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168417038">(Jun 18 2019 at 16:22)</a>:</h4>
<p><span class="user-mention" data-user-id="132721">@Tony Arcieri</span> ah thanks, any chance there is a WIP documentation / RFC proposal for potential requirements and implementation for the topic, or just discussion for now?</p>



<a name="168417276"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168417276" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168417276">(Jun 18 2019 at 16:25)</a>:</h4>
<p>some ideas along those lines here <a href="https://blog.rust-lang.org/2017/05/05/libz-blitz.html" target="_blank" title="https://blog.rust-lang.org/2017/05/05/libz-blitz.html">https://blog.rust-lang.org/2017/05/05/libz-blitz.html</a></p>



<a name="168580897"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168580897" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168580897">(Jun 20 2019 at 09:41)</a>:</h4>
<p>And this thread is also solved by cargo-crev: <a href="https://github.com/dpc/crev" target="_blank" title="https://github.com/dpc/crev">https://github.com/dpc/crev</a></p>



<a name="168581158"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168581158" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168581158">(Jun 20 2019 at 09:45)</a>:</h4>
<p>I am really tempted to start using that and file a "this is dangerous" for libflate. Reasons being:<br>
<a href="https://github.com/sile/libflate/issues/16" target="_blank" title="https://github.com/sile/libflate/issues/16">https://github.com/sile/libflate/issues/16</a><br>
<a href="https://github.com/sile/libflate/issues/29" target="_blank" title="https://github.com/sile/libflate/issues/29">https://github.com/sile/libflate/issues/29</a><br>
<a href="https://github.com/sile/libflate/issues/31" target="_blank" title="https://github.com/sile/libflate/issues/31">https://github.com/sile/libflate/issues/31</a><br>
And there is probably more where that came from.<br>
I was horrified when it showed up on crates-audit as a dependency of reqwest, but fortunately it's just a dev dependency.</p>



<a name="168595705"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168595705" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168595705">(Jun 20 2019 at 13:37)</a>:</h4>
<p>Oh hey look, I've found another memory safety bug: <a href="https://github.com/sile/libflate/issues/33" target="_blank" title="https://github.com/sile/libflate/issues/33">https://github.com/sile/libflate/issues/33</a><br>
This one might be actually exploitable.</p>



<a name="168596187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168596187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168596187">(Jun 20 2019 at 13:42)</a>:</h4>
<p>oof</p>



<a name="168606717"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168606717" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168606717">(Jun 20 2019 at 15:36)</a>:</h4>
<blockquote>
<p>I am really tempted to start using that and file a "this is dangerous" for libflate. Reasons being:<br>
<a href="https://github.com/sile/libflate/issues/16" target="_blank" title="https://github.com/sile/libflate/issues/16">https://github.com/sile/libflate/issues/16</a><br>
<a href="https://github.com/sile/libflate/issues/29" target="_blank" title="https://github.com/sile/libflate/issues/29">https://github.com/sile/libflate/issues/29</a><br>
<a href="https://github.com/sile/libflate/issues/31" target="_blank" title="https://github.com/sile/libflate/issues/31">https://github.com/sile/libflate/issues/31</a><br>
And there is probably more where that came from.<br>
I was horrified when it showed up on crates-audit as a dependency of reqwest, but fortunately it's just a dev dependency.</p>
</blockquote>
<p>In issue 16 why do you set <code>detect_odr_violation=0</code>? I haven't run into that in rust, what can trigger it?</p>



<a name="168607295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168607295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168607295">(Jun 20 2019 at 15:43)</a>:</h4>
<p>I have no idea what it is, seems to be some kind of check specific to C++. I used to get it randomly on seemingly benign code, so I've disabled it.</p>



<a name="168607626"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168607626" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168607626">(Jun 20 2019 at 15:47)</a>:</h4>
<p>...which does not sound reassuring</p>



<a name="168607811"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168607811" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168607811">(Jun 20 2019 at 15:49)</a>:</h4>
<p>I've heard of a few other Rust-specific ASan false positives, so it doesn't bother me too much. Specifically around zero-sized types. I haven't hit them personally though</p>



<a name="168609341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168609341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168609341">(Jun 20 2019 at 16:06)</a>:</h4>
<p>Alternatives to libflate are:<br>
1. inflate, which I've already cleansed of unsafe blocks save one, and found a bug in that one, so I'm not really worried about it. But it's even slower.<br>
2. miniz_oxide, which has withstood my fuzzing attempts admirably, including differential fuzzing with libdiffuzz. It's much faster. I've opened the code now and... it's not reassuring.</p>



<a name="168609639"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168609639" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168609639">(Jun 20 2019 at 16:11)</a>:</h4>
<p><a href="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L314" target="_blank" title="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L314">https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L314</a> - this makes an assumption that is only true for allocations made with stdlib containers<br>
<a href="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L280" target="_blank" title="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L280">https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L280</a> - same here but not explicitly noted. Could be exploitable if writing to user-supplied buffer<br>
"check if this is safe" TODOs:<br>
<a href="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L370" target="_blank" title="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L370">https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L370</a><br>
<a href="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L572" target="_blank" title="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L572">https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L572</a></p>



<a name="168610222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168610222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168610222">(Jun 20 2019 at 16:18)</a>:</h4>
<p>This function is very weird:<br>
<a href="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L276" target="_blank" title="https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L276">https://github.com/Frommi/miniz_oxide/blob/master/miniz_oxide/src/deflate/core.rs#L276</a><br>
It doesn't use the <code>pos</code> argument in any meaningful way; it seems superfluous. Also I don't understand what <code>#[cfg(all(target_endian = "little", test))]</code> does, I thought <code>#[cfg(test)]</code> should only be used for modules?<br>
Does anyone understand what's happening in this code?</p>



<a name="168612581"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168612581" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168612581">(Jun 20 2019 at 16:47)</a>:</h4>
<p>The <code>#[cfg(test)]</code> means that function is only called in code that's also <code>#[cfg(test)]</code> (so the test module below)</p>



<a name="168612704"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168612704" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168612704">(Jun 20 2019 at 16:49)</a>:</h4>
<p>but I don't know what's going on with <code>pos</code>, presumably they meant to write a <code>u16</code> to <code>slice[pos..=pos+1]</code> but forgot to add the offset?</p>



<a name="168612834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168612834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168612834">(Jun 20 2019 at 16:50)</a>:</h4>
<p>AFAICT it's only called with <code>pos = 0</code>, so luckily for them nothing breaks.</p>



<a name="168612932"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168612932" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dylan MacKenzie (ecstatic-morse) <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168612932">(Jun 20 2019 at 16:51)</a>:</h4>
<p>Based on the surrounding code, they forgot to call <code>offset(pos)</code></p>



<a name="168613742"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168613742" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168613742">(Jun 20 2019 at 17:02)</a>:</h4>
<p>Thanks! I'll file an issue on github.<br>
But this is still not reassuring. And flate2 is by far the most popular gzip/zlib crate.</p>



<a name="168614497"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168614497" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168614497">(Jun 20 2019 at 17:13)</a>:</h4>
<p>Okay, opened a PR: <a href="https://github.com/Frommi/miniz_oxide/pull/45" target="_blank" title="https://github.com/Frommi/miniz_oxide/pull/45">https://github.com/Frommi/miniz_oxide/pull/45</a></p>



<a name="168614808"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168614808" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168614808">(Jun 20 2019 at 17:16)</a>:</h4>
<p>Also not reassuring - looks like they have some kind of underlying allocator corruption going on, or are mixing regions allocated from C and from Rust: <a href="https://github.com/Frommi/miniz_oxide/issues/14" target="_blank" title="https://github.com/Frommi/miniz_oxide/issues/14">https://github.com/Frommi/miniz_oxide/issues/14</a><br>
This has been open for ages and is tagged <strong>help wanted</strong>, so looks like miniz_oxide devs aren't going to fix it. I don't think I'm competent enough either. Any takers?</p>



<a name="168753156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168753156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168753156">(Jun 22 2019 at 14:29)</a>:</h4>
<p>Oh, here's an interesting pull request for <code>miniz_oxide</code>: <a href="https://github.com/Frommi/miniz_oxide/pull/36" target="_blank" title="https://github.com/Frommi/miniz_oxide/pull/36">https://github.com/Frommi/miniz_oxide/pull/36</a><br>
It fixes some segfaults because of "type confusion", but I'm not sure if that is exploitable in a context other than DoS. It's not merged, so the bug still exists.<br>
Is anyone interested in evaluating the impact? This crate has 180,000 downloads per month, so if this is exploitable this would be a high-profile vulnerability by Rust standards.</p>



<a name="168753261"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168753261" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168753261">(Jun 22 2019 at 14:32)</a>:</h4>
<p>Depends what types you can confuse. If you can confuse something where you've got a user-controlled int at the same offset as a pointer that's a potentially very powerful exploit primitive</p>



<a name="168779833"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168779833" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168779833">(Jun 23 2019 at 05:40)</a>:</h4>
<p>I had a bout of insomnia, so I've poked miniz_oxide some more. Lo and behold, a buffer overflow on write<br>
<a href="https://github.com/Frommi/miniz_oxide/pull/47" target="_blank" title="https://github.com/Frommi/miniz_oxide/pull/47">https://github.com/Frommi/miniz_oxide/pull/47</a><br>
Now to figure out if this is actually exploitable</p>



<a name="168805889"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168805889" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168805889">(Jun 23 2019 at 19:49)</a>:</h4>
<p>Ooooh hey look, another vulnerability in <code>smallvec</code>: <a href="https://github.com/servo/rust-smallvec/issues/148" target="_blank" title="https://github.com/servo/rust-smallvec/issues/148">https://github.com/servo/rust-smallvec/issues/148</a></p>



<a name="168805892"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168805892" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168805892">(Jun 23 2019 at 19:49)</a>:</h4>
<p>Without an advisory, too</p>



<a name="168809433"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168809433" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168809433">(Jun 23 2019 at 21:47)</a>:</h4>
<p>Any reason not to just file an advisory yourself?</p>



<a name="168809489"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168809489" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168809489">(Jun 23 2019 at 21:49)</a>:</h4>
<p>I want to educate SmallVec maintainers. Also, I'm too lazy to go in and try to track down when the vulnerability was introduced to understand which versions are affected</p>



<a name="168809560"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168809560" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168809560">(Jun 23 2019 at 21:50)</a>:</h4>
<p>Also, speaking of type confusion in <code>miniz_oxide</code>: it's known to cause a double free, so probably exploitable. Still not fixed. <a href="https://github.com/Frommi/miniz_oxide/pull/36" target="_blank" title="https://github.com/Frommi/miniz_oxide/pull/36">https://github.com/Frommi/miniz_oxide/pull/36</a> - PR actually not ready for merging</p>



<a name="168992039"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168992039" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168992039">(Jun 26 2019 at 01:14)</a>:</h4>
<p>Threat estimation question: calling <code>drop()</code> on uninitialized memory could lead to arbitrary code execution in the worst case, right?</p>



<a name="168992041"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168992041" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168992041">(Jun 26 2019 at 01:14)</a>:</h4>
<p>I'm observing it on interesting non-Copy types like BufReader</p>



<a name="168992112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168992112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168992112">(Jun 26 2019 at 01:16)</a>:</h4>
<p>On an arbitrary type? Sure, it can easily trigger a UAF, and it can also be basically any other sort of memory corruption.</p>



<a name="168992433"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/168992433" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#168992433">(Jun 26 2019 at 01:25)</a>:</h4>
<p>Thanks, UAF is a good way to put it. This is also in <code>libflate</code> crate, for reference. Filing an issue now.</p>



<a name="169136276"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/169136276" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#169136276">(Jun 27 2019 at 13:50)</a>:</h4>
<p>Okay, I am done auditing <code>libflate</code>. I have PRs outstanding for removing most unsafe blocks, and I've reported vulnerabilities in the rest of them to the maintainer. So now we just wait for me or the maintainer to come up with fixes.</p>



<a name="169411062"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/169411062" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#169411062">(Jul 01 2019 at 16:50)</a>:</h4>
<p>nice, great work there <span class="user-mention" data-user-id="127617">@Shnatsel</span> !</p>



<a name="169411072"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/169411072" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#169411072">(Jul 01 2019 at 16:50)</a>:</h4>
<p>as it were, we're using <code>libflate</code> right now <span aria-label="weary" class="emoji emoji-1f629" role="img" title="weary">:weary:</span></p>



<a name="169412509"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/169412509" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#169412509">(Jul 01 2019 at 17:08)</a>:</h4>
<p>so does smallvec do anything that <code>heapless::Vec</code> doesn't?</p>



<a name="169413618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/169413618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#169413618">(Jul 01 2019 at 17:22)</a>:</h4>
<p>this looks interesting: <a href="https://blog.trailofbits.com/2019/07/01/siderophile-expose-your-crates-unsafety/" target="_blank" title="https://blog.trailofbits.com/2019/07/01/siderophile-expose-your-crates-unsafety/">https://blog.trailofbits.com/2019/07/01/siderophile-expose-your-crates-unsafety/</a></p>



<a name="174495807"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495807" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495807">(Aug 29 2019 at 21:50)</a>:</h4>
<blockquote>
<p>interesting <a href="https://twitter.com/FiloSottile/status/1075429069888598016" target="_blank" title="https://twitter.com/FiloSottile/status/1075429069888598016">https://twitter.com/FiloSottile/status/1075429069888598016</a></p>
</blockquote>
<p>so this shipped!</p>



<a name="174495828"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495828" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495828">(Aug 29 2019 at 21:50)</a>:</h4>
<p><a href="https://twitter.com/FiloSottile/status/1167156608545280005" target="_blank" title="https://twitter.com/FiloSottile/status/1167156608545280005">https://twitter.com/FiloSottile/status/1167156608545280005</a></p>
<div class="inline-preview-twitter"><div class="twitter-tweet"><a href="https://twitter.com/FiloSottile/status/1167156608545280005" target="_blank"><img class="twitter-avatar" src="https://pbs.twimg.com/profile_images/1028703543174225920/3cm3bMWC_normal.jpg"></a><p>The Go Checksum Database is now production ready, and will secure the module ecosystem starting with Go 1.13.

Extremely proud of this state-of-the-art auth system based on transparency trees (designed by <a href="https://twitter.com/_rsc" target="_blank" title="https://twitter.com/_rsc">@_rsc</a> and me, built by <a href="https://twitter.com/katie_hockman" target="_blank" title="https://twitter.com/katie_hockman">@katie_hockman</a>'s team).

<a href="https://t.co/pl5bPOVbOd" target="_blank" title="https://t.co/pl5bPOVbOd">https://blog.golang.org/module-mirror-launch</a></p><span>- Filippo Valsorda (@FiloSottile)</span></div></div>



<a name="174495836"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495836" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495836">(Aug 29 2019 at 21:50)</a>:</h4>
<p>looks really interesting</p>



<a name="174495872"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495872" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495872">(Aug 29 2019 at 21:51)</a>:</h4>
<p>I've been thinking a lot about a similar "binary transparency"-style reproducible build system</p>



<a name="174495887"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495887" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495887">(Aug 29 2019 at 21:51)</a>:</h4>
<p>although I am less excited about Trillian lately than I used to be</p>



<a name="174495912"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495912" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495912">(Aug 29 2019 at 21:51)</a>:</h4>
<p>I have a pretty crazy idea I need to flesh out better <span aria-label="wink" class="emoji emoji-1f609" role="img" title="wink">:wink:</span></p>



<a name="174495989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174495989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174495989">(Aug 29 2019 at 21:53)</a>:</h4>
<p>there are a ton of really good ideas in the Go Checksum Database though</p>



<a name="174558039"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174558039" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174558039">(Aug 30 2019 at 16:03)</a>:</h4>
<p>This looks neat. Perhaps bring it up on Reddit?</p>



<a name="174560185"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/174560185" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> jakubadamw <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#174560185">(Aug 30 2019 at 16:27)</a>:</h4>
<p>(deleted)</p>



<a name="185078376"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/185078376" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#185078376">(Jan 08 2020 at 03:38)</a>:</h4>
<p><a href="https://medium.com/@dlorenc/getting-serious-about-open-source-security-1d15609478fa" target="_blank" title="https://medium.com/@dlorenc/getting-serious-about-open-source-security-1d15609478fa">https://medium.com/@dlorenc/getting-serious-about-open-source-security-1d15609478fa</a></p>



<a name="185091624"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/185091624" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#185091624">(Jan 08 2020 at 09:16)</a>:</h4>
<p>the part about "serverless came and saved us all" makes me think this is satire? ;) (well I guess that part actually is. kinda hard to tell for a mostly-outsider :P )</p>



<a name="185106110"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/185106110" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#185106110">(Jan 08 2020 at 12:47)</a>:</h4>
<p>haha</p>



<a name="185106183"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/185106183" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#185106183">(Jan 08 2020 at 12:48)</a>:</h4>
<p>[img:can'thaveXifyoudon'tY] ...software supply chain attacks if you don't have servers.. <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>



<a name="185121601"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/crate%20security/near/185121601" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/crate.20security.html#185121601">(Jan 08 2020 at 15:17)</a>:</h4>
<p>Yeah everything under the first heading is satire</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>